We are very pleased to announce the availability of the phpBB3 RC7 package, the "We are sorry and love our support team" edition. This release fixes some critical issues which arised with the recently released Release Candidate 6, basically fixing some bbcode problems as well as missing form tokens. On the downloads page we provide two update packages this time, one for going from RC5 to RC7 and one for going from RC6 to RC7.
This release is mostly the outcome of an external security audit performed by
SektionEins. All items tagged as [Sec] were found by the company doing the audit and revealed some fundamental problems we were able to fix. We are proud that the audit revealed no sql injection vulnerability or critical command execution vulnerabilities.
For release candidates full support is given, allowing language packs as well as modifications and styles. We only give support to those having a clean RC installation or updates from previous release candidates. Previous conversions or updates from betas will not be supported here. We encourage only those running the release candidates wanting to test out the new version, it is still recommended to wait for the full release; after all this is a release candidate.
Please also note that we urge you to update - we only support the latest version. Bug reports submitted for previous releases will be closed as well as only the latest version being supported here.
RC6/RC7 has seen some improvements as well as fixing some security issues. Some important fixes are:
[*][Fix] Further fixing user profile view (please do not forget to update/refresh your template and style) (Bug #14230)
[*][Fix] Adjust
google adsense bot information (Bug #14296)
[*][Fix] Fix horizontal scrollbar problem in IE6 (Bug #14228) - fix provided by Danny-dev
[*][Fix] Correctly set user style for guest user (able to be changed within user management)
[*][Change] Moved note about dns_get_record function for using GTalk (Jabber) from Jabber log to Jabber ACP panel
[*][Fix] Do not use register_shutdown_function within cron.php if handling the queue and the mail function being used (Bug #14321)
[*][Fix] Fixing private message on-hold code if moving messages into folder based on rules (Bug #14309)
[*][Fix] Allow the merge selection screen to work (Bug #14363)
[*][Change] Require additional permissions for copying permission when editing forums
[*][Fix] Local magic URLs no longer get an additional trailing slash (Bug #14362)
[*][Fix] Do not let the cron script stale for one hour if register_shutdown_function is not able to be called (Bug #14436)
[*][Feature] Added /includes/db/db_tools.php file, which includes tools for handling cross-db actions such as altering columns, etc.
[*][Fix] Fixed token handling in jabber class for extremely spec-compliant XMPP server (Bug #14445)
[*][Change] Listing the board url within the email text instead of appending it to the subject (Bug #14378)
[*][Fix] Use correct dimension (width x height) in ACP (Bug #14452)
[*][Feature] Added completely new hook system to allow better application/mod integration - see docs/hook_system.html
[*][Fix] Fixing google cache display problems with Firefox (Bug #14472) - patch provided by Raimon
[*][Change] Allow years in future be selected for date custom profile field (Bug #14519)
[*][Feature] Added an option to enforce that users spend a configurable amount of time on the terms page during registration
[*][Sec] Fixing possible XSS through compromised WHOIS server (#i63, #i64)
[*][Sec] Missing access control on whois in viewonline.php (#i51)
[*][Sec] Encoding some variables within user:
😛age array correctly (to cope with browser not doing it correctly) to prevent XSS through functions re-using them (#i61)
[*][Sec] Fixed XSS through memberlist search feature (#i62)
[*][Sec] Fixed XSS through colour swatch (#i65)
[*][Sec] Fixed insecure attachment deletion (#i53)
[*][Sec] Only allow whitelisted protocols in meta_redirect/redirect (#i66)
[*][Sec] Check file names to be written in language management panel (#i52)
[*][Sec] Deregister globals if ini_get has been disabled (#i112)
[*][Sec] Added form tokens to most forms to enforce a lighter variant of CSRF protection (#i91 - #i96)
[*][Sec] Use new password hash method for forum passwords (#i43)
[*][Sec] Changed download file location to prevent flash crossdomain policies taking effect (#i8)
[*][Sec] Do not allow autocompletion for password on admin re-authentication (#i41)
[*][Sec] Made sure users are not completely locked out if they have a GLOBALS cookie (#i101)
[*][Sec] Use the secure hash to generate BBCODE_UIDs (#i71)
[*][Sec] Increase the length of BBCODE_UIDs (#i72)
[*][Sec] New password hashing mechanism for storing passwords (#i42)
[/list]
Please refer to the changelog for a complete list of fixes since RC5:
http://www.phpbb.com/support/documents. ... &version=3
A short explanation of how to do a conversion, installation or update is included within the provided INSTALL.html file, please be sure to read it. If you want to be on the safe side we suggest still waiting for later releases before you fully convert your 2.0.x installation.
Important
Due to the password storage mechanism changed, you will not be able to log in to your board if you try to use the updated database with files prior to RC6.
Minimum Requirements
phpBB3 has a few requirements which must be met before you are able to install and use it.
[*]A webserver or web hosting account running on any major Operating System with support for PHP
[*]A SQL database system, one of:
[*]MySQL 3.23 or above (MySQLi supported)
[*]PostgreSQL 7.3+
[*]SQLite 2.8.2+
[*]Firebird 2.0+
[*]MS SQL Server 2000 or above (directly or via ODBC)
[*]Oracle
[/list]
[*]PHP 4.3.3+ (>=4.3.3, >4.4.x, >5.x.x, >6.0-dev (compatible)) with support for the database you intend to use.
[*]getimagesize() function need to be enabled
[*]These optional presence of the following modules within PHP will provide access to additional features, but they are not required.
[*]zlib Compression support
[*]Remote FTP support
[*]XML support
[*]Imagemagick support
[*]GD Support
[/list]
[/list]The presence of each of these optional modules will be checked during the installation process.
Security
Security issues found should be reported to our
security tracker in the usual way.
